manualshive.com logo in svg

Novell APPARMOR - AND, Admin Manual

Share
Download
Novell APPARMOR - AND Admin Manual Download Page 13

13

How To Immunize With Novell AppArmor

each of these programs. For instance, adding the line

/srv/www/cgi-bin/my_hit_counter.pl rpx,

 

woul

gr

ant

 

Apache permission to execute the PERL script

my_hit_counter.pl

and require that there be a dedicated profile for

my_hit_counter.pl

. If

my_hit_counter.pl

does not have a

dedicated profile associated with it, then the rule should say

/srv/www/cgi-bin/my_hit_counter.pl rix,

 

t

cause 

my_hit_counter.pl

to inherit the

usr.sbin.httpd2-prefork

profile.

Some users may find it inconvenient to specify execute permission for

every CGI script that Apache may invoke. Instead, the administrator

can grant controlled access to collections of CGI scripts. For instance,

addi

ng 

t

he 

l

i

ne 

/srv/www/cgi-bin/*.{pl,py,pyc} rix,

 

wi

l

l

 

allow Apache to execute all files in

/srv/www/cgi-bin/

ending in

.pl

(PERL scripts) or

.py

or

.pyc

(Python scripts). As above, the

ix

 

par

t

 

of

 

t

he 

r

ul

causes 

t

he 

Pyt

hon 

scr

i

pt

t

i

nher

i

t

 

t

he 

Apache 

profile, which is appropriate if you do not want to write individual pro-

files for each Python script.

Note:

If you want the Sub-process confinement module

(

mod_change_hat

) functionality when web applications handle

Apache

modules

, (

mod_perl

and

mod_php

), insert the Novell AppAr-

mor sub-process confinement module into the Apache web server.

The Novell AppArmor installer installs this modified Apache web

server along with

change_hat

. Novell AppArmor for Apache is pro-

vided by the

mod_change_hat

Apache module. To take advantage

of

 

t

he 

sub-

pr

ocess 

conf

i

nement

,

 

r

ef

er

 

t

Apache ChangeHat

 

on 

page 79.

Profiling web applications that use

mod_perl

and

mod_php

require

sl

i

ght

l

di

f

f

er

ent

 

handl

i

ng.

 

I

t

hi

case,

 

t

he 

pr

ogr

am”

 

i

scr

i

pt

 

i

nt

er

-

preted directly by the module within the Apache process, so no

exec

happens. Instead, the Novell AppArmor version of Apache calls

change_hat()

 

nami

ng 

subpr

of

i

l

(

hat

)

 

cor

r

espondi

ng 

t

t

he 

name of the URI being requested.

1

For

mod_perl

and

mod_php

scripts, this will be the name of the PERL script or the PHP page

requested. So for example, adding this subprofile to

foo

will allow the

Summary of Contents for APPARMOR - AND

Page 1: ...Admin Guide Novell AppArmor Powered by Immunix...

Page 2: ...How to Build AppArmor Profiles 16 Profile Components and Syntax 16 Breaking Down the AppArmor Profile Into Its Parts 16 include 18 Capability Entries POSIX 1e 19 Choosing the YaST GUI YaST ncurses Co...

Page 3: ...69 Creating Reports 70 Maintaining Your Security Profiles 73 Backing Up Your Security Profiles 74 Changing Your Security Profiles 74 Introducing New Software Into Your Environment 74 Profiling Your W...

Page 4: ...library of Novell AppArmor profiles for common Linux applications describing what files the program needs to access A library of Novell AppArmor profile foundation classes profile building blocks need...

Page 5: ...y This style should indicate to you that you can type the word or phrase on the command line and press Enter to invoke a command Example To use ls to view the contents in the current directory you wou...

Page 6: ...own programs and 3rd party programs that you may have installed on your SuSe Linux It also helps you to add edit or delete profiles that have been created for your applications Chapter 5 Managing Pro...

Page 7: ...he YaST GUI The SuSE LINUX Enterprise Server 9 offers the SUSE utility Yet Another Setup Tool YaST Using YaST you can launch the Novell AppArmor interface This is the recommended method for a novice L...

Page 8: ...zard o np a g e2 4 Edit Profile Edits an existing Novell AppArmor profile on your sys t e m F o r d e t a i l e ds t e p s r e f e r t o Editing a Novell AppArmor Profile on page 29 Delete Profile Del...

Page 9: ...view Novell AppArmor Security Events For detailed steps r e f e r t o Creating Reports o np a g e7 4 Novell AppArmor Control Panel F o r d e t a i l e ds t e p s r e f e r t o Man aging Novell AppArmo...

Page 10: ...troduces you to the philosophy of Immunizing programs Proceed to Chapter 4 How to Build Novell AppArmor Profiles i f y o u r er e a d y t ob u i l da n dma n a g e Novell AppArmor profiles How To Immu...

Page 11: ...e slocate database up to date with sufficient privilege to read the name of every file in the system For instructions on using Novell AppArmor for this type of program refer to Immunizing Cron Jobs o...

Page 12: ...tab e a n d l i s t r o o t s c r o nt a s k s w i t h crontab l Y o umu s t b er o o t f o r t h e s et o work Immunizing Web Applications To find web applications you should investigate your web ser...

Page 13: ...e which is appropriate if you do not want to write individual pro files for each Python script Note If you want the Sub process confinement module mod_change_hat functionality when web applications ha...

Page 14: ...r as many of those programs as possible If you provide profiles for all programs with open network ports then for all possible network threats the attacker cannot get to the file system on your machin...

Page 15: ...ppAr mor profile associated with each program or reports none if the pro gram is not confined Note If you create a new profile you must restart the program that has been profiled in order for unconfin...

Page 16: ...rk client applications tend to only be running when the user is interested in them Applying Novell AppArmor profiles to user network client applications is a l s od e p e n d e n t o nu s e r s p r e...

Page 17: ...i n g t h i s s y n t a x i s p r e s e n t e d o n Breaking Down the Novell AppArmor Profile Into Its Parts o np a g e1 7 Breaking Down the Novell AppArmor Profile Into Its Parts Novell AppArmor pro...

Page 18: ...eral forms include directives that pull in components of Novell AppArmor profiles to simplify profiles Capability Entries statements that enable each of the 32 POSIX 1e capabilities Path Entries in wh...

Page 19: ...mage that the attacker can do to the set of files permitted by Novell AppArmor include includes are directives that pull in components of other Novell AppAr mor profiles to simplify profiles Include f...

Page 20: ...in the program chunks are typically very liberal and are designed to allow your users access to their files in the least intrusive way possible while still allowing system resources to be pro tected A...

Page 21: ...Armor profiles and is better suited for users with limited bandwidth connections to their server Access the YaST ncurses con sole by typing yast2 while logged into a terminal window as root The YaST n...

Page 22: ...es back to enforce mode and the system begins enforcing the rules of the profiles not just logging information For mo r ei n f o r ma t i o no nt h i s t o o l r e f e r t o Enforce Mode o np a g e5 5...

Page 23: ...Novell AppArmor Click one of the following Novell AppArmor icons and proceed to the section referenced below A d dP r o f i l eWi z a r d F o r d e t a i l e ds t e p s r e f e r t o Using the Add Pro...

Page 24: ...e Novell AppArmor profiling tools GenProf Generate Profile and LogProf Update Profiles From Learning Mode L o gF i l e F o r mo r ei n f o r ma t i o na b o u t t h e s et o o l s r e f e r t o Summar...

Page 25: ...AppArmor also sets the profile to learn i n gmo d e F o r mo r ei n f o r ma t i o no nl e a r n i n gmo d e r e f e r t o Com plain or Learning Mode o np a g e5 4 6 Execute the application that is b...

Page 26: ...ition has not been defined see Figure 2 below Each of these cases results in a series of questions that you must answer to add the resource to the profile or to add the program into the profile The fo...

Page 27: ...icular globbed version of the path or the actual path name All of these options are not always available include An include is the section of a Novell AppArmor pro file that refers to an include file...

Page 28: ...ermission access For more information on t h i s r e f e r t o File Permission Access Modes o np a g e6 9 Deny Click the Deny button to prevent the program from access ing the specified directory path...

Page 29: ...dialog box which saves the profile to disk and loads it into the Novell AppArmor module 13 The previous steps can be repeated if you need to execute more functionality of your application 14 When you...

Page 30: ...e r sG u i d e 30 2 From Novell AppArmor click the Edit Profile icon The Edit Profile Choose Profile to Edit window displays 3 From the list of profiled programs select the profile you would like to e...

Page 31: ...AppArmor profile entries by clicking the corre s p o n d i n gb u t t o n s a n dr e f e r r i n gt ot h ef o l l o w i n gs e c t i o n s Add Entry o np a g e4 0 Edit Entry o np a g e4 3 o r Delete...

Page 32: ...dl i k et od e l e t e a profile for then delete it as follows 1 To delete a profile open the YaST GUI and click Novell AppAr mor The Novell AppArmor interface displays 2 From Novell AppArmor click th...

Page 33: ...n that is outside of the profile defini tion for the program You can add the new behavior to the relevant profile by selecting the suggested profile entry 1 To update a profile from syslog entries ope...

Page 34: ...curity domain transition has not been defined see Figure 2 below Each of these cases will result in a question that you must answer that enables you to add the resource or program into the profile The...

Page 35: ...bbed version of the path or the actual path name All of these options are not always available include An include is the section of a Novell AppArmor pro file that refers to an include file Include fi...

Page 36: ...e s s F o r mo r ei n f o r ma t i o no nt h i s r e f e r t o File Per mission Access Modes o np a g e6 9 Deny Click the Deny button to prevent the program from access ing the specified directory pa...

Page 37: ...r of learning mode entries corresponds to the com plexity of the application 6 When completed click the Finish button which saves the profile to disk and loads it into the Novell AppArmor module Manua...

Page 38: ...the Manually Add a Novell AppArmor Profile icon The Select a File to Generate Profile for window dis plays 3 From the Select a File to Generate Profile for window browse your system to find the applic...

Page 39: ...om the Novell AppArmor Profile Dialog window You can Add Edit or Delete Novell AppArmor profile entries by clicking the corre s p o n d i n gb u t t o n s a n dr e f e r r i n gt ot h ef o l l o w i n...

Page 40: ...ist select one of the following File In the pop up window specify the absolute path of a file including the type of access permitted When finished click the OK button You can use globbing if necessary...

Page 41: ...n finished click the OK button For globbing information refer to Path Names and Regular Expression Matching o np a g e6 9 For file access permission infor mation refer to File Permission Access Modes...

Page 42: ...finished making your selections click the OK button Include In the pop up window browse to the files you would like to use as includes Includes are directives that pull in components of other Novell...

Page 43: ...ission information refer to File Permission Access Modes o np a g e6 9 Delete Entry When you click the Delete Entry button Novell AppArmor removes the Novell AppArmor profile entry that is highlighted...

Page 44: ...con the Novell AppArmor Configuration window displays as shown below 2 From the Novell AppArmor Configuration screen determine whether Novell AppArmor and Security Event Notification are run ning by l...

Page 45: ...or you set it to enable or disable When Novell AppArmor is enabled it is installed running and enforcing the Novell AppArmor security policies 1 To enable Novell AppArmor open the YaST GUI and click N...

Page 46: ...e GUI to manage and configure your system security Checking the SubDomain Module Status The SubDomain module can be in one of three states Unloaded The SubDomain module is not loaded into the kernel R...

Page 47: ...e stopped state If the SubDomain module was either unloaded or already stopped then stop tries to unload the pro files again but nothing happens etc init d subdomain restart Causes SubDomain module to...

Page 48: ...ain detailed steps for build ing profiles Add or Create Novell AppArmor Profiles R e f e r t o Add or Create a Novell AppArmor Profile o np a g e4 9 Edit Novell AppArmor Profile R e f e r t o Edit Nov...

Page 49: ...r s a n dma i l s e r v e r s Sys temic Profiling o np a g e5 1 Edit Novell AppArmor Profile The following steps tell you what you need to do in order to edit a Nov ell AppArmor profile To better unde...

Page 50: ...f o r mo r ei n f o r ma t i o n r e f e r t o Standalone Profiling o np a g e5 0 s u i t a b l ef o r p r o f i l i n gs ma l l a p p l i c a t i o n s t h a t have a finite run time such as user cl...

Page 51: ...ding a Novell AppArmor profile for a group of applications is as fol lows 1 Create profiles for the individual programs that make up your application Even though this approach is systemic Novell AppAr...

Page 52: ...ssages and run faster 6 Edit the Profiles You may wish to review the profiles that have been generated You can open and edit the profiles in etc subdo main d using vim For help using vim to its fulles...

Page 53: ...a n be a fully qualified path The program itself can be of any kind ELF binary shell script PERL script etc and autodep will still generate an approximate profile to be improved through the dynamic p...

Page 54: ...ofiled program accessing files not permitted by the profile The violations are permitted but also logged To improve the profile turn complain mode on run the pro gram through a suite of tests to gener...

Page 55: ...accessing files not permitted by the profile The violations are logged and NOT permit ted Turn complain mode on when you want the Novell AppArmor pro files to control the access of the program that is...

Page 56: ...p r o f o r G e n e r a t eP r o f i l e i s N o v e l l A p p A r mo r s p r o f i l eg e n e r a t i n g utility It Autodeps the specified program creating an approximate pro file if a profile does...

Page 57: ...s the pro gram requires access to in order to function properly For example in a new terminal window type etc init d apache2 start 4 You are given the following menu choices which can be used after yo...

Page 58: ...ess controls as the parent This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target s profile or losing the permis sions of the...

Page 59: ...All of these options are not always presented in the Novell AppArmor menu include An include is the section of a Novell AppArmor profile that refers to an include file Include files procure access per...

Page 60: ...ur own rule for this event allow ing you to specify whatever form of regular expression you want If the expression you enter does not actually satisfy the event that prompted the question in the first...

Page 61: ...with sugges tions for modifying the profile The learning complain mode traces pro gram behavior and enters it in syslog Logprof uses this information to observe program behavior If a confined program...

Page 62: ...mor rules that could be added by pressing the number of the item on the list By default logprof looks for profiles in etc subdomain d and scans the log in var log messages so in many cases just runnin...

Page 63: ...on to the next event N e w Prompts you to enter your own rule for this event allow ing you to specify whatever form of regular expression you want If the expression you enter does not actually satisfy...

Page 64: ...2 In an example from profiling vsftpd we see this question Several items of interest appear in this question First note that vsftpd is asking for a path entry at the top of the tree even though vsftp...

Page 65: ...o call another confined program without gain ing the permissions of the target s profile or losing the permissions of the current profile This mode is often used when the child program is a h e l p e...

Page 66: ...mail profile so that when usr bin mail runs usr bin mail less in this context the less program is far less dangerous than it would be without Novell AppArmor protection I no t h e r c i r c u ms t a n...

Page 67: ...l c o l o r t h el i n e s o f t h ep r o f i l ef o r y o u blue include lines that pull in other Novell AppArmor rules and comments that begin with white ordinary read access lines brown capability...

Page 68: ...more information on the science and security of Novell AppArmor refer to the following papers S u b D o ma i n P a r s i mo n i o u s S e r v e r S e c u r i t y C r i s p i nC o w a n S t e v e Beat...

Page 69: ...ary number of path elements including entire directories Can substitute for any single character except abc This will substitute for the single character a b or c For example a rule that matches home...

Page 70: ...without any Novell AppAr mor profile being applied to the executed resource Requires listing execute mode as well Incompatible with Inherit and Discrete Profile execute entries This mode is useful wh...

Page 71: ...gram to be able to create and remove a link with this name including symlinks When a link is created the file that is being linked to MUST have the same access permissions as the link being created wi...

Page 72: ...Your Secured Applications Applications that are confined by Novell AppArmor security profiles will generate messages when applications execute in unexpected ways or outside of their specified profile...

Page 73: ...new line in the Verbose log These security events include the date and time the event occurred when the appli cation profile permits access as well as rejects access and the type of file permission ac...

Page 74: ...filtering by date range or program name You can also export an html or text file 1 To run reports open the YaST GUI and click Novell AppArmor The Novell AppArmor interface displays 2 From Novell AppA...

Page 75: ...pertain to the program you specify Export Report Enables you to export a CSV comma separated values or html file The CSV file separates pieces of data in the log entries with commas using a standard d...

Page 76: ...duction enviroment you should plan on maintaining profiles for all of the deployed applications The security policies are an integral part of your deployment You should plan on taking steps to backup...

Page 77: ...or on another PC Changing Your Security Profiles Maintenance of security profiles includes changing them if you decide that your system requires more or less security for its applications To c h a n...

Page 78: ...nt the your best method for updating your profiles is to do one of the following Monitor the system frequently to determine if any new rejections should be added to the profile and update as needed us...

Page 79: ...ll AppArmor module to switch security domains at arbitrary times during the application execution A profile can have an arbitrary number of subprofiles but there are only 2 levels a subprofile cannot...

Page 80: ...i c a t e d T h e y both allow you to manage the hats for your application and populate them with profile entries In the following steps we walk you through a demo that will add Hats to an Apache pro...

Page 81: ...ping etc init d apache2 stop and then etc init d apache2 start in a terminal window while logged in as root Note Any program you are profiling you would restart at this point 5 Type http localhost php...

Page 82: ...b o u t t h e s c r i p t s a c t i o n s w i l l b e a d d e d t o t h e n e w l y created hat rather than the default hat for this application In the next screen Novell AppArmor displays an externa...

Page 83: ...ons will prompt you to generate new hats and add entries to your profile and its hats The process of adding e n t r i e s t op r o f i l e s i s c o v e r e di nd e t a i l i nt h es e c t i o n Using...

Page 84: ...ly Add Novell AppArmor Profile f o r i n s t r u c t i o n s r e f e r t o Manually Adding a Profile o n page 37 you are given the option of adding Hats subprofiles to your Novell AppArmor profiles ph...

Page 85: ...g window 1 From the Novell AppArmor Profile Dialog window click Add Entry then select Hat The Enter Hat Name dialog box displays 2 Enter the name of the hat you would like to add to the Novell AppArmo...

Page 86: ...or mod_change_hat Apache has configuration files that customize the way Apache func tions Apache is configured by placing directives in plain text configuration files The main configuration file is us...

Page 87: ...osts are con sidered internally within apache to be seperate servers so you can set a default hat name for the default server as well as one for each virtual host if desired When a request comes in to...

Page 88: ...it refers to a pathname in the filesystem as seen in the following exam ple Example The program phpsysinfo is used to illustrate a Location directive in the following example The tarball can be downlo...

Page 89: ...che2 restart into a terminal window while logged in as root 5 Enter http hostname sysinfo into a browser to receive the system information that phpsysinfo delivers Location sysinfo ImmHatName sysinfo...

Page 90: ...U s e r sG u i d e 90 6 Track down configuration errors by going to the var log syslog or running dmesg and looking for any rejections in the output...

Page 91: ...or a variety of reasons including not having all of the required devtools packages installed having a Linux kernel source tree that does not match your running kernel and not having a Linux kernel sou...

Page 92: ...uted in sections The sections are numbered 1 through 8 Each section is specific to a category of documentation section 1 is user commands section 2 is system calls section 3 is library functions secti...

Page 93: ...Running genprof as a non root user produces a similar result Again run genprof only as root You must also run the subdomain start and subdomain stop scripts as root Running them as a non root user pr...

Page 94: ...ailing list at Novell AppArmor users mail wirex com You can subscribe to this list at http mail wirex com mailman listinfo immunix users The announcement list is for announcements only the email for i...

Page 95: ...software pack ages See http www rpm org for more information SSH Secure Shell A service that allows you to access your server from a remote computer and issue text commands through a secure connection...

Page 96: ...ed to users and to files and other objects The controls are mandatory in the sense that they cannot be modified by users or their programs Application firewalling SubDomain contains applications and l...

Reviews:

No comments

Brands by name

Popular brands

Load more brands